1. Field of the Invention
The present invention relates generally to controlling the use of a computer system and, more particularly, to a system and method for restricting access to specified application programs and/or data and to reliably auditing computer usage.
2. Related Art
Computer Security
Many organizations (e.g., businesses, government agencies) wish to control how data will be processed or stored by computer systems that are owned, operated by, or otherwise related to the organizations. The field of computer security is broadly concerned with designing and building computer systems that permit organizations that employ computer systems to control how data is processed using the computing systems according to particular security policies. A security policy (in this context) is a set of rules about how data may be processed.
The need to control how computer systems are used is related to organizational goals. For example, a business might want to protect inventory records from unauthorized modifications; a government agency processing sensitive information might want to control access to data so that users can only access information according to their security clearances. To allow organizations control over their computer systems, many conventional computer systems provide security controls that allow a computer system administrator to limit the actions that may be taken by users of the computer system. Security controls fall broadly into two groups: discretionary controls and mandatory controls.
Discretionary security controls are generally based on the identity of users as they are known to a computer system and the "ownership of" or "control over" data stored for particular users by the computer system. Each user can employ discretionary controls to reduce the access of other users to data that is owned or controlled by that user. A weakness of discretionary controls is that, in conventional computer systems, each application program that is executed by a user possesses all of that user's discretionary rights and can use those rights to change controls on the user's data contrary to the user's wishes. An application program that is designed to do this is known as a "Trojan Horse" program because it often performs an undesirable function without the user's knowledge.
Mandatory security controls are generally based on some computer system-maintained attribute of users and the data that users access. Often, this attribute is a "security level" that is used by the computer system to decide if a particular user may access data stored on the computer system. For instance, a user with a "Confidential" clearance may be prohibited access to data that is classified as "Top Secret."
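The clearance-versus-classification rule just described, as an added example that is not part of the patent text. It encodes the "security level" as a rank stored by the system for both users and data, so the decision is made from those stored attributes rather than from anything the user can change. The level names and their ordering are constructed for illustration, and the write rule ("no write down") goes one step beyond the text: it is the standard companion to the read rule and is what keeps a program running with a user's rights from copying higher-level data into lower-level storage.

```python
# Added example, not part of the patent: a minimal mandatory access control
# decision based on a system-maintained "security level" attribute.
# Level names and their ranks are constructed for illustration.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def level_of(name: str) -> int:
    """Map a level name to its rank. Unknown names are refused rather than
    silently ranked lowest, so a mislabelled object cannot widen access."""
    try:
        return LEVELS[name]
    except KeyError:
        raise ValueError(f"unknown security level: {name!r}") from None


def mac_read_allowed(user_clearance: str, data_classification: str) -> bool:
    """'No read up': the user's clearance must dominate the data's classification."""
    return level_of(user_clearance) >= level_of(data_classification)


def mac_write_allowed(user_clearance: str, data_classification: str) -> bool:
    """'No write down': a user may only write to data at or above their own
    level, so higher-level information cannot flow into lower-level storage."""
    return level_of(data_classification) >= level_of(user_clearance)


def mac_decision(user_clearance: str, data_classification: str, mode: str) -> bool:
    """Mandatory check for a single access. The user has no way to relax this
    decision, unlike a discretionary control on data the user owns."""
    if mode == "read":
        return mac_read_allowed(user_clearance, data_classification)
    if mode == "write":
        return mac_write_allowed(user_clearance, data_classification)
    raise ValueError(f"unknown access mode: {mode!r}")


if __name__ == "__main__":
    # The case from the text: a Confidential user and Top Secret data.
    print(mac_decision("Confidential", "Top Secret", "read"))   # False
    print(mac_decision("Top Secret", "Confidential", "read"))   # True
    print(mac_decision("Top Secret", "Confidential", "write"))  # False
```

The refusal of unknown level names is deliberate: a mandatory control that defaults an unlabelled object to the lowest level would let a labelling mistake grant every user access to it.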
The mandatory and discretionary controls are implemented, at least in part, by an operating system of the computer system. The operating system is a body of software that controls (i.e., manages the usage of) physical resources such as central processing units (CPUs), random access memory (RAM) (also referred to as "memory"), disk drives, networks, monitors, etc. By managing these resources, the software provides a way for users and application programs to use the resources in a more convenient way. The operating system includes a kernel, or resident portion, that is always in RAM. The kernel acts as the "traffic cop" to manage both other parts of the operating system and the application programs. Additionally, the operating system usually includes numerous utility programs that are to be used only by an "administrator".
As used in this document, an "administrator" is a user or organization with current authority to perform system administrative functions such as maintaining and updating the operating system, whereas an "ordinary user" is a person who currently lacks such authority. Note that the same person could at some times be an administrator and at some times be an ordinary user. For example, a person may be an administrator when logged in with one login name and password, and an ordinary user when logged in with a different login name and password. In different systems, various procedures are used by administrators and ordinary users to take on their respective roles.
The operating system utilities may be distinct from the application programs. Although the dividing line between the two can be somewhat fuzzy, an operating system utility generally is distributed as part of an operating system, and maintains and supports the functions of the operating system. Also, an operating system utility may require special privileges (only possessed by the administrator) to perform its function. An application program, on the other hand, is a program that is designed to address a specific problem domain and that "uses" the services provided by the operating system.
A single program can be both an operating system utility and an application program, depending on how it is used. When executed by an administrator and with the privileges to perform its intended function, it is an operating system utility. When executed by an ordinary user with no special privilege, it is an application program.
Most multi-user computer systems provide some discretionary security controls. Additionally, a number of computer systems provide mandatory controls and a set of features that facilitate the administration of computer security policies. The Trusted Computer System Evaluation Criteria (TCSEC) is a National Computer Security Center (NCSC) standard for evaluating computers that provide security features. The TCSEC, also known as the "Orange Book", is fully described in the National Computer Security Center, Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, Dec. 1985. The TCSEC has been used to evaluate numerous computer systems, including Multics, SCOMP, and Trusted XENIX.
Computer systems that provide access controls also must provide privileges that allow the controls to be overridden for system maintenance, software installation, etcetera. In the Unix operating system, for example, every process has an identifier that indicates the user for which the process is running. (Unix is a registered trademark of Unix System Laboratories, Inc. Different versions of Unix are commercially available from a number of sources.) Many Unix access controls are relaxed for a process running as the administrator (also called the root user). In other operating systems, such as VAX VMS, privilege is also associated with processes. (VAX VMS is a product of Digital Equipment Corporation.)
Although computer systems found to be trusted according to the TCSEC provide strong controls over the use of privilege, such systems are prohibitively expensive for many applications.
Most conventional operating systems (including Unix) control privilege using only discretionary access controls. Controlling privilege using discretionary access controls is a serious deficiency in conventional systems because discretionary controls do not provide high assurance that ordinary users cannot obtain inappropriate privileges and then use those privileges to modify the operating system or the applications. A typical example of a potential circumvention of discretionary access controls occurs when the password of a privileged user is observed. This is not an unusual occurrence, as passwords are notoriously difficult to keep secret. This deficiency is a particular concern for computer systems that are exposed to network-based attacks, because an intruder can obtain total control over a remote system.
Conventional mandatory and discretionary security controls assume an operating environment where ordinary users and application programs are potentially malicious. In such an environment, it is the responsibility of the computer system (and its administrators) to ensure that malicious programs or ordinary users cannot disrupt organizational goals. Conventionally, the computer system and administrators focus primarily on protecting data that is stored or processed on the computer system, and on protecting the continuous availability of the computer system.
Because conventional security controls make this assumption, they do not adequately support policies that prohibit execution of certain programs or algorithms. Execution control policies could provide significant benefits both for improved utilization of computer resources and data protection. For instance, execution control can prevent the execution of programs that might misuse computing resources. Furthermore, execution control can prevent the execution of programs that might attack the traditional mandatory and discretionary controls.
Certain execution control policies can be implemented through suitable configuration of mandatory and discretionary access controls of a conventional system. On some conventional systems, the administrator can configure the discretionary controls to prevent ordinary users from executing any but a preselected set of programs. For example, a Unix system can be configured to allow ordinary users to execute only a specified set of application programs. One way to accomplish this is for the administrator to remove execute access from all programs except those in the specified set, and then to remove write and read discretionary access from those programs. Such an execution control policy is not practical, however, because almost all useful systems require applications (e.g., text editors) that allow ordinary users to create arbitrary files. Once files are created, it is possible (under Unix and under most operating systems) to execute them as new programs.
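An administrator who applies the discretionary configuration described above needs a way to check that it still holds. The following audit, an added example and not part of the patent, walks a directory tree and reports three kinds of drift against an approved set: files that are executable but not approved (for instance a script an ordinary user created and marked executable, the exact gap the text points out), approved programs that have become writable by group or others, and approved programs that are missing. The directory layout, file names and mode bits are constructed for the demonstration; the check reads permission bits directly from the inode rather than asking whether the current user could execute the file, so it gives the same answer whether run as root or as an ordinary user.

```python
# Added example, not part of the patent: audit a DAC-based execution control
# configuration against an approved set of programs. The demo tree below is
# constructed; the paths and modes are not from any real system.
import os
import shutil
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_exec_policy(root_dir: str, approved) -> dict:
    """Return the deviations from the policy 'only the approved set is
    executable, and approved programs are not writable by others'.
    Paths in `approved` and in the result are relative to root_dir."""
    approved = {os.path.normpath(p) for p in approved}
    findings = {"unapproved_executables": [], "writable_approved": [], "missing_approved": []}
    seen = set()
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode          # lstat: do not follow symlinks
            if not stat.S_ISREG(mode):
                continue
            rel = os.path.normpath(os.path.relpath(path, root_dir))
            if rel in approved:
                seen.add(rel)
                if mode & GROUP_OTHER_WRITE:
                    findings["writable_approved"].append(rel)
            elif mode & EXEC_BITS:
                findings["unapproved_executables"].append(rel)
    findings["missing_approved"] = list(approved - seen)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_tree() -> str:
    """Create a constructed directory tree that violates the policy in two ways."""
    root = tempfile.mkdtemp(prefix="execpolicy_demo_")
    layout = {
        "bin/editor": 0o555,         # approved; read and execute only, as the policy intends
        "bin/ls": 0o775,             # approved but group-writable: a Trojan Horse could replace it
        "home/user/run.sh": 0o755,   # created by an ordinary user and marked executable
        "home/user/notes.txt": 0o644,  # ordinary data file, not executable
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for key, paths in audit_exec_policy(demo_root, {"bin/editor", "bin/ls", "bin/missing"}).items():
            print(f"{key}: {paths}")
    finally:
        shutil.rmtree(demo_root)
```

Such an audit only reports drift after the fact; it cannot turn the discretionary configuration into a strong control, because whoever holds the privilege to fix the findings also holds the privilege to create them.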
Some operating systems allow any file to be executed (e.g., MS-DOS). Others, including Unix, however, require that files be designated as "executable" before an ordinary user can execute them. Using this feature, it would appear that execution control could be achieved by making small changes to an operating system to prevent ordinary users (other than the root ordinary user) from ever adding execute status to a file. With this modification, however, the strength of the execution control would depend on the proper use of the root user id. That is, the strength would depend on the discretionary controls that are available to the root user. As discussed above, discretionary controls are vulnerable to Trojan Horse attacks.
A typical Trojan Horse attack in a Unix system involves an unauthorized ordinary user gaining root access. Numerous Unix processes usually run with the root id. Using a discretionary control based solution would make execution controls dependent on the correctness of all of those programs. Installing new versions of programs that run with the root privilege is a typical system administrative task. The introduction of any corrupted program would render the execution controls ineffective for the entire system. The execution control policies available with conventional operating systems thus do not adequately assure system security.
Often, a malicious ordinary user (called an attacker) relies on the ability to create and execute malicious programs on the target computer system. A first technique the attacker often uses is to create a Trojan Horse program that performs an apparently useful function and then saves the access rights of its ordinary user. Once a "victim" ordinary user runs the program, his access rights are saved in the form of a new executable program that runs with the victim's attributes when executed by the attacker. A second technique the attacker may use is to take advantage of errors in access controls or other system services so as to enable him to manipulate the operating system to his advantage. Often, these errors can only be exploited by writing a Trojan Horse program. A system with a strong mechanism for controlling execution could prevent the attacker from creating and executing programs, and could therefore prevent penetration by these two common techniques.
A related deficiency in the conventional art is that, once an attacker has penetrated a system, he can often "erase his footprints" by altering system logs that might reveal the attack. The privileges that enabled the attacker to penetrate the system commonly enable him to modify such logs.
The deficiencies in the conventional techniques for controlling how computers are used indicate that what is needed is a computer system which enables an administrator to reliably control what application programs are executed, and which provides the administrator with a reliable audit trail of how it has been used.
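One way to make the log alteration described above detectable, as an added example and not part of the patent: each audit entry carries the digest of the entry before it, so editing or deleting an entry breaks every link after it. The event strings, the genesis value and the helper names are constructed for this illustration. The caveat a practitioner would add is in the code: an attacker with write access to the log can rebuild the whole chain, so the digest of the latest entry must also be recorded somewhere that privilege does not reach, and verification must compare against that recorded value.

```python
# Added example, not part of the patent: a hash-chained audit log whose
# entries cannot be edited or removed without breaking the chain.
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # constructed value that the first entry links to


def _digest(seq: int, event: str, prev: str) -> str:
    # Canonical JSON so the same fields always hash the same way.
    body = json.dumps({"seq": seq, "event": event, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append_entry(chain: List[dict], event: str) -> dict:
    """Append one audit event, linked to the digest of the previous entry."""
    prev = chain[-1]["digest"] if chain else GENESIS
    entry = {"seq": len(chain), "event": event, "prev": prev}
    entry["digest"] = _digest(entry["seq"], event, prev)
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every entry is intact and correctly linked,
    otherwise (False, index_of_first_bad_entry). `expected_head` is the digest
    of the last entry as recorded on a host or medium the attacker cannot
    write; a mismatch there is reported at index len(chain)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if (entry.get("seq") != i
                or entry.get("prev") != prev
                or entry.get("digest") != _digest(i, entry.get("event", ""), prev)):
            return False, i
        prev = entry["digest"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def demo_chain(events: List[str]) -> List[dict]:
    """Build a chain from constructed event strings."""
    chain: List[dict] = []
    for event in events:
        append_entry(chain, event)
    return chain


if __name__ == "__main__":
    log = demo_chain(["user alice login", "file /srv/ledger modified", "user alice logout"])
    recorded_head = log[-1]["digest"]          # stored off-host in a real deployment
    print(verify_chain(log, recorded_head))    # (True, None)
    log[1]["event"] = "nothing happened"       # an edited entry
    print(verify_chain(log, recorded_head))    # (False, 1)
```

Without the recorded head, a chain rebuilt from scratch with one entry left out verifies cleanly; with it, the rebuilt chain is rejected because its final digest no longer matches. That external anchor is what turns the chain from a consistency check into a reliable audit trail.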
Computer Viruses
Another vulnerability of conventional computer systems is infection by computer viruses. A computer virus is a program that replicates itself by inserting copies of itself (or some derivation of itself) into existing programs. A program is said to be infected when it has been so modified. When an infected program is run, it executes the viral code that usually attempts to infect more programs.
In addition to propagating, virus programs may perform other functions. Although these functions may be beneficial, virus programs are generally malicious and take advantage of their stealth to alter program behavior in undesirable ways without the knowledge of ordinary users.
To reduce the chance of detection, a virus usually attempts to avoid infecting programs multiple times (which would increase the program size without bound). To avoid multiple infections, viruses typically add a "virus signature" to infected programs. Before infecting a program, a virus checks for its signature to determine if the program is already infected.
Virus countermeasures fall into two groups: infection prevention and infection detection (and removal). Most anti-virus products (e.g., Norton Antivirus, available from Norton Utilities, Inc. and Flu-shot, available from Symantec, Inc.) perform virus detection by scanning executable files for particular virus signatures and by computing checksums. Other detection methods are presented in M. M. King, "Identifying and Controlling Undesirable Program Behaviors," Proceedings of the 14th National Computer Security Conference, Oct. 1-4, 1991, Washington D.C., pp. 283-294; as well as in R. Davis, "Peeling the Viral Onion," Proceedings of the 14th National Computer Security Conference, Oct. 1-4, 1991, Washington D.C., pp. 417-426. There are no reliable software-based forms of virus prevention. Two serious deficiencies of current anti-virus techniques are thus that virus code may execute before a virus is detected, and that viruses whose signatures or behaviors are not known to the detection program may not be detected.
Typically, virus propagation is slowed but not completely impeded by discretionary controls. The reason is that viruses take on the discretionary abilities of the ordinary users that (unknowingly) execute the virus programs. (A virus can be viewed as a special kind of Trojan Horse program.) When a privileged user executes a virus-infected program, other programs may become vulnerable.
A possible approach to controlling virus propagation is to prevent insertion to, modification to, or removal of an approved set of executable programs. Such an approach would not prevent all kinds of viruses. For instance, some viruses are in programs that are not directly executed by a machine's CPU, but are instead "interpreted" by a directly executable program. Such viruses are "data" as far as the computer operating system is concerned, and it is not currently feasible to identify the kinds of data that might be interpreted as programs by other programs. Some conventional computer systems attempt to prevent virus attacks by storing executable programs in files and protecting the files from unauthorized reading, writing, creation or deletion using discretionary access controls. As has been noted above, discretionary access controls do not provide strong protection, and therefore do not adequately control the spread and other damaging effects of viruses.
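The two detection methods named earlier (signature scanning and checksums) and the "approved set of executable programs" idea in the paragraph above are illustrated by the following added example, which is not part of the patent. A baseline records a checksum for every approved program; a later check reports programs that were modified (the signature of an infection), added outside the approved set, or removed. The file contents, the file names and the byte pattern standing in for a virus signature are all constructed, and the "infected" copy is simply the original with that marker appended; no real virus is involved. The example also shows the limits the text states: the checksum catches an unknown virus only after the program has been altered, and a signature scan catches only signatures it already knows.

```python
# Added example, not part of the patent: checksum baseline over an approved
# set of programs, plus a signature scan. All inputs below are constructed.
import hashlib
from typing import Dict, List, Optional

# Constructed byte pattern standing in for a known virus signature.
DEMO_SIGNATURE = b"DEMO-SIGNATURE-NOT-A-REAL-VIRUS"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(approved_files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a checksum for every program in the approved set."""
    return {name: sha256_hex(content) for name, content in approved_files.items()}


def check_against_baseline(baseline: Dict[str, str], current_files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the programs present now with the approved baseline.
    'modified' catches infections regardless of whether the virus is known;
    'added' catches new executables outside the approved set; 'removed' catches
    deleted approved programs."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for name, digest in baseline.items():
        if name not in current_files:
            report["removed"].append(name)
        elif sha256_hex(current_files[name]) != digest:
            report["modified"].append(name)
    report["added"] = [name for name in current_files if name not in baseline]
    for key in report:
        report[key].sort()
    return report


def scan_for_signature(data: bytes, signature: bytes = DEMO_SIGNATURE) -> Optional[int]:
    """Return the offset of the first occurrence of a known signature, or None.
    A virus whose signature is not in the scanner's list is simply not seen."""
    offset = data.find(signature)
    return None if offset < 0 else offset


def demo_file_sets():
    """Constructed approved set and a later snapshot with three kinds of change."""
    approved = {
        "editor": b"\x7fELF editor program body (constructed)",
        "ls": b"\x7fELF ls program body (constructed)",
    }
    current = dict(approved)
    current["editor"] = approved["editor"] + DEMO_SIGNATURE   # "infected": marker appended
    del current["ls"]                                          # approved program removed
    current["dropper"] = b"#!/bin/sh\necho not approved\n"    # executable added outside the set
    return approved, current


if __name__ == "__main__":
    approved, current = demo_file_sets()
    baseline = build_baseline(approved)
    print(check_against_baseline(baseline, current))
    print(scan_for_signature(current["editor"]), scan_for_signature(approved["editor"]))
```

The checksum comparison is the stronger of the two checks because it needs no prior knowledge of the virus, but it reports the infection only once the approved program has already been changed; preventing that change in the first place requires control over the approved set that discretionary permissions alone do not provide.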
The deficiencies of the conventional techniques for controlling viruses indicate that what is needed is a computer system which prevents the infection of computer systems and the spread of viruses.